Netgate Discussion Forum
"Deny Inbound" and "Alias Match" kill ALL outbound states during reload

Category: pfBlockerNG
3 Posts, 2 Posters, 347 Views
    totowentsouth, last edited by May 20, 2024, 3:07 AM

    pfSense/pfBlockerNG kills existing OUTbound states with IPs in "Deny Inbound" and "Alias Match" IPv4 categories.
    I suspect, but have not verified, that the other action types will kill matching states regardless of direction.

    Running pfSense 24.03-RELEASE on Netgate hardware with pfBlockerNG 3.2.0_10.

    In Firewall > pfBlockerNG > General, Kill States is checked.

    A "Deny Inbound" config is:

    Firewall > pfBlockerNG > Edit > IPv4 is as follows:
    Alias Name: Google_ASN
    IPv4 Lists: Format: ASN, State: ON, Source: AS15169 [ GOOGLE, US ], Header/Label: AS15169
    List Action: Deny Inbound
    Update Frequency: Once a day
    Enable Logging: Disabled
    States Removal: Enable

    The pfBlockerNG log file has entries with multiple Google IPv4 addresses and the private LAN IPv4 addresses connected to them:

    [ pfB_Google_ASN_v4 ] Removed 2 state(s) for [ 130.211.16.53 ]
    
    	igc1 tcp 130.211.16.53:443 <- 192.168.X.Y:59190       FIN_WAIT_2:FIN_WAIT_2
    	ix3 tcp 167.248.12.173:59190 (192.168.X.Y:59190) -> 130.211.16.53:443       FIN_WAIT_2:FIN_WAIT_2
    

    More "alias configs" with different IPv4 addresses and "List Action" set to "Alias Match" exist. The pfblockerng update log contains entries similar to the above example with IPv4 addresses in these "Alias Match" configurations.

    An old thread describes states NOT killed when aliases are updated:
    https://forum.netgate.com/topic/121921/states-not-being-killed-pfblockerng

    The description of the global kill states option, emphasis mine:

    When 'Enabled', after a cron event or any 'Force' commands, any blocked IPs found in the Firewall states will be cleared.

    Is the intent of the "States Removal" option for individual configs to be set to "Disabled" to skip the kill state action when the "List Action" is set to one of the non-deny-both types?


      tman222, last edited by Oct 6, 2024, 5:22 PM

      Hi @totowentsouth - I'm curious if you ever found a resolution to this? I ran into the same issue yesterday and also wondered whether disabling "States Removal" on the individual list is the solution / workaround? I'm also a bit perplexed why outbound states are being removed if the List Action with the IP addresses in question is set to e.g. Deny Inbound. Thanks in advance.


        totowentsouth @tman222, last edited by Oct 7, 2024, 3:00 AM

        @tman222 Yes, disabling the "States Removal" for the particular list(s) is what I did as a workaround. I looked for the code responsible when I made the post and recall pfblockerng is behaving as described in my first post. That is, if an IP address in a list is found in states, and "States Removal" is enabled, regardless of the "List Action", the state is removed. I retired my investigation since.

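As an added illustration (not pfBlockerNG's own code, which neither poster quotes), the script below parses state lines in the `pfctl -ss` layout shown in the first post and contrasts the behaviour the thread reports (any state touching a listed address is removed, whatever the List Action) with the direction-aware removal both posters expected from "Deny Inbound". It assumes the pfctl convention that `->` marks a state created by an outgoing packet (the left host originated it) and `<-` a state created by an incoming packet (the right host originated it). The 130.211.0.0/16 prefix standing in for the AS15169 list, the LAN host 192.168.1.20 in place of the redacted 192.168.X.Y, and the two extra state lines are all constructed for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample in the layout of pfSense's `pfctl -ss` output. Lines 1-2 are
# the two states quoted in the post (the redacted LAN host 192.168.X.Y written
# here as 192.168.1.20); lines 3-4 are hypothetical: an inbound connection from
# the same Google address to a port-forwarded LAN host, and a local DNS state.
SAMPLE_STATES = """\
igc1 tcp 130.211.16.53:443 <- 192.168.1.20:59190       FIN_WAIT_2:FIN_WAIT_2
ix3 tcp 167.248.12.173:59190 (192.168.1.20:59190) -> 130.211.16.53:443       FIN_WAIT_2:FIN_WAIT_2
ix3 tcp 192.168.1.30:443 (167.248.12.173:443) <- 130.211.16.53:51000       ESTABLISHED:ESTABLISHED
igc1 udp 192.168.1.1:53 <- 192.168.1.20:53000       MULTIPLE:SINGLE
"""

# Constructed stand-in for the AS15169 list: one prefix covering the post's address.
GOOGLE_LIST = [ip_network("130.211.0.0/16")]

# Assumed pfctl layout: an outbound state prints as "src [(pre-NAT src)] -> dst"
# and an inbound one as "dst [(post-rdr dst)] <- src"; a parenthesised original
# address may follow either endpoint, so both groups are optional here.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<left_orig>\S+)\))?\s+"
    r"(?P<arrow><-|->)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<right_orig>\S+)\))?\s+"
    r"(?P<status>\S+)\s*$"
)


@dataclass
class State:
    iface: str
    proto: str
    initiator: str   # host that opened the connection (as printed, post-NAT)
    responder: str   # host it connected to
    status: str
    raw: str


def host_only(endpoint: str) -> str:
    """Strip the ':port' suffix (and IPv6 brackets) from a pfctl endpoint."""
    host, _, _ = endpoint.rpartition(":")
    return host.strip("[]")


def parse_state(line: str) -> Optional[State]:
    m = STATE_RE.match(line)
    if not m:
        return None
    # "->": the left side originated the state; "<-": the right side did.
    if m["arrow"] == "->":
        initiator, responder = m["left"], m["right"]
    else:
        initiator, responder = m["right"], m["left"]
    return State(m["iface"], m["proto"], host_only(initiator),
                 host_only(responder), m["status"], line.strip())


def parse_states(text: str) -> List[State]:
    return [s for s in (parse_state(ln) for ln in text.splitlines()) if s]


def on_list(host: str, nets) -> bool:
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def states_to_kill(states, nets, action: str, direction_aware: bool = True) -> List[State]:
    """Select the states a list update would remove.

    direction_aware=False reproduces what the thread reports: any state touching
    a listed address is removed whatever the List Action is. direction_aware=True
    is the narrower policy the posters expected: "Deny Inbound" removes only
    states a listed address opened, "Deny Outbound" only states opened towards
    one, "Deny Both" either, and alias-only actions remove nothing.
    """
    victims = []
    for s in states:
        hit_in = on_list(s.initiator, nets)    # listed host started the connection
        hit_out = on_list(s.responder, nets)   # connection went out to a listed host
        if not direction_aware:
            hit = hit_in or hit_out
        elif action == "Deny Inbound":
            hit = hit_in
        elif action == "Deny Outbound":
            hit = hit_out
        elif action == "Deny Both":
            hit = hit_in or hit_out
        else:  # "Alias Match", "Alias Native", "Permit ...": only feeds an alias
            hit = False
        if hit:
            victims.append(s)
    return victims


if __name__ == "__main__":
    states = parse_states(SAMPLE_STATES)
    for aware in (False, True):
        label = "direction-aware" if aware else "match-only (as reported)"
        for action in ("Deny Inbound", "Alias Match"):
            killed = states_to_kill(states, GOOGLE_LIST, action, aware)
            print(f"{label:26} {action:13} removes {len(killed)} state(s)")
            for s in killed:
                print("    " + s.raw)
```

Run against the sample, the match-only policy removes both halves of the LAN host's outbound HTTPS session (the two lines the original post logged) together with the hypothetical inbound state, while the direction-aware "Deny Inbound" policy removes only the inbound one and "Alias Match" removes nothing, which is the distinction the workaround of disabling "States Removal" per list works around.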
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.